authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-11-11 22:33:00 -0200
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-11-11 22:33:00 -0200
commit5faedaa5c007ba545d197f81891115d1da1cc14a (patch)
treef205affc5f68842879cd902211dd9a4b1d34ac37 /config
parent361b61a7a9030efbe241b51726967a0b1a370d5d (diff)
Apache - improve modsecurity config file creation
Diffstat (limited to 'config')
-rw-r--r--config/apache_mod_security-dev/apache.template64
-rwxr-xr-xconfig/apache_mod_security-dev/apache_balancer.xml3
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc75
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.template10
-rw-r--r--config/apache_mod_security-dev/apache_mod_security_groups.xml42
-rw-r--r--config/apache_mod_security-dev/apache_mod_security_manipulation.xml1
-rw-r--r--config/apache_mod_security-dev/apache_view_logs.php2
7 files changed, 106 insertions, 91 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template
index 93de58af..9147452c 100644
--- a/config/apache_mod_security-dev/apache.template
+++ b/config/apache_mod_security-dev/apache.template
@@ -5,69 +5,6 @@
$mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n";
}
-/*
-<IfModule mod_security2.c>
-
-
- # Turn the filtering engine On or Off
- SecFilterEngine On
-
- # XXX Add knobs for these
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess On
-
- SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
- SecRequestBodyLimit {$secrequestbodylimit}
-
- {$mod_security_custom}
-
- SecResponseBodyMimeTypesClear
- SecResponseBodyMimeType (null) text/plain text/html text/css text/xml
-
- # XXX Add knobs for these
- SecUploadDir /var/spool/apache/private
- SecUploadKeepFiles Off
-
- # The audit engine works independently and
- # can be turned On of Off on the per-server or
- # on the per-directory basis
- SecAuditEngine {$secauditengine}
-
- # XXX Add knobs for these
- # Make sure that URL encoding is valid
- SecFilterCheckURLEncoding On
-
- # XXX Add knobs for these
- # Unicode encoding check
- SecFilterCheckUnicodeEncoding On
-
- # XXX Add knobs for these
- # Only allow bytes from this range
- SecFilterForceByteRange 1 255
-
- # Help prevent the effects of a Slowloris-type of attack
- # $secreadstatelimit
-
- # Cookie format checks.
- SecFilterCheckCookieFormat On
-
- # The name of the audit log file
- SecAuditLog logs/audit_log
-
- #http-guardian Anti-dos protection
- {$SecGuardianLog}
-
- # Should mod_security inspect POST payloads
- SecFilterScanPOST On
-
- # Include rules from rules/ directory
- {$mod_security_rules}
-
-</IfModule>
-
-*/
-
$apache_dir=APACHEDIR;
$apache_config = <<<EOF
##################################################################################
@@ -96,6 +33,7 @@ $apache_dir=APACHEDIR;
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".
+{$mod_security}
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
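Review bot: `{$mod_security}` is interpolated into the `$apache_config` heredoc unconditionally, but `$mod_security` is only assigned inside the `if($mods_settings['enablemodsecurity']=="on")` block of apache_mod_security.template (hunks at L267-L283 in this commit), so with ModSecurity disabled the heredoc reads an undefined variable and emits a notice. Initialise it before the conditional, `$mod_security = "";` at the top of apache_mod_security.template (or in the .inc before the `include` added at L260), so the disabled case is explicit. As a point of style, the placeholder lands in the middle of the `#` comment block describing ServerRoot; moving it below that comment keeps the generated httpd.conf readable. The heredoc starts in the previous hunk and continues past this one.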
diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml
index 3c8de686..16779158 100755
--- a/config/apache_mod_security-dev/apache_balancer.xml
+++ b/config/apache_mod_security-dev/apache_balancer.xml
@@ -102,7 +102,8 @@
<columnitem>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- </columnitem>
+ </columnitem>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 76208c70..91f0ff35 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -3,7 +3,7 @@
apache_mod_security.inc
part of apache_mod_security package (http://www.pfSense.com)
Copyright (C) 2009, 2010 Scott Ullrich
- Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2012-2013 Marcello Coutinho
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ else
// End of system check
define ('MODSECURITY_DIR','crs');
// Rules directory location
-define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR);
+define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR);
function apache_textarea_decode($base64){
return preg_replace("/\r\n/","\n",base64_decode($base64));
}
@@ -134,7 +134,7 @@ function apache_mod_security_resync() {
$write_config++;
$config['installedpackages']["modsecurityfiles{$dir}"]['config']=array();
while (false !== ($entry = readdir($handle))) {
- if (preg_match("/(\S+).conf/",$entry,$matches))
+ if (preg_match("/(\S+).conf$/",$entry,$matches))
$config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]);
}
closedir($handle);
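Review bot: The tightened pattern `"/(\S+).conf$/"` still leaves the dot unescaped, so it is a wildcard and any entry ending in five characters plus `conf` (e.g. `fooXconf`) is registered as a rule file, while the intent is clearly a literal `.conf` suffix. Use `"/^(\S+)\.conf$/"` so the match is anchored at both ends and the extension is literal. The enclosing function apache_mod_security_resync starts outside the hunk.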
@@ -296,7 +296,7 @@ function generate_apache_configuration() {
$options.=($server['routeid'] ? " route={$server['routeid']}" : "");
$options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : "");
- if (isset($server['ping'])){
+ if (isset($server['ping']) && $server['ping']!=""){
$options.= " ping={$server['ping']}";
$options.=($server['ttl'] ? " ttl={$server['ttl']}" : "");
}
@@ -311,7 +311,47 @@ function generate_apache_configuration() {
//write balancer conf
file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX);
}
-
+ // configure modsecurity group options
+ //chroot apache http://forums.freebsd.org/showthread.php?t=6858
+ if (is_array($config['installedpackages']['apachemodsecuritygroups'])){
+ unset($mods_group);
+ $i=0;
+ $write_config=0;
+ foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
+ //RULES_DIRECTORY
+ $mods_group[$mods_groups['name']]="Include ".RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf\n";
+ if ($mods_groups['crs10']==""){
+ if (file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){
+ $config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example'));
+ $write_config++;
+ }
+ }
+ file_put_contents(RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']),LOCK_EX);
+
+ foreach (split(",",$mods_groups['baserules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['optionalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['slrrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['experimentalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n";
+ }
+ $i++;
+ }
+ if ($write_config > 0)
+ write_config("load crs 10 setup file to modsecurity group {$mods_groups['name']}");
+ }
+ //print "<PRE>";
+ //var_dump($mods_group);
+
+ //mod_security settings
+ if (is_array($config['installedpackages']['apachemodsecuritysettings'])){
+ $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
+ }
//configure virtual hosts
$namevirtualhosts=array();
$namevirtualhosts[0]=$global_listen;
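Review bot: `$mods_groups['name']` comes straight from the group form (a free-text `input` with only `<required/>` in apache_mod_security_groups.xml) and is spliced into the path handed to `file_put_contents` at L177 and into the `Include` lines; a name containing `/` or `..` writes the setup file outside RULES_DIRECTORY and points Apache at an arbitrary file, so the name should be validated with an anchored regex before any path is built. The rule lists are read with `split()`, which is deprecated since PHP 5.3 (`explode()` is the replacement), and an empty list yields `array("")`, producing an `Include .../base_rules/.conf` line for a file that does not exist, which makes Apache refuse to start; filtering empty entries avoids that. The four loops differ only in the field and subdirectory and can be driven from one map, which also gives a single place to validate each rule name. The enclosing function generate_apache_configuration starts and ends outside the hunk.
```php
    $safe_name = '/^[A-Za-z0-9_-]+$/';
    $rule_dirs = array("baserules" => "base_rules", "optionalrules" => "optional_rules",
                       "slrrules" => "slr_rules", "experimentalrules" => "experimental_rules");
    foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
        // the group name becomes part of a file name and an Include path; reject anything else
        if (!preg_match($safe_name, $mods_groups['name'])) {
            log_error("apache_mod_security: skipping modsecurity group with invalid name");
            $i++;
            continue;
        }
        // … unchanged: crs 10 setup file load/write …
        foreach ($rule_dirs as $field => $subdir) {
            foreach (array_filter(explode(",", $mods_groups[$field])) as $rule) {
                if (!preg_match($safe_name, $rule)) {
                    continue;
                }
                $mods_group[$mods_groups['name']] .= " Include ".RULES_DIRECTORY."/{$subdir}/{$rule}.conf\n";
            }
        }
        $i++;
    }
```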
@@ -389,7 +429,10 @@ EOF;
$vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
if ($backend['compress']== "no")
$vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n";
- if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){
+ if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
+ $vh_config.=$mods_group[$backend['modsecgroup']];
+ }
+ if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){
foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
if ($backend['modsecmanipulation'] == $manipulation['name']){
if (is_array($manipulation['row']))
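Review bot: `$mods_group[$backend['modsecgroup']]` at L212 is read without checking that the key exists; when the backend references a group that has since been deleted or renamed, or when no groups are configured at all (`$mods_group` is then never assigned), the lookup is an undefined index and the backend is silently generated without any ModSecurity rules. Guard the append, `if (... && isset($mods_group[$backend['modsecgroup']]))`, and log the missing group in an `else` branch so a protection gap is visible rather than silent. The enclosing function generate_apache_configuration starts and ends outside the hunk.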
@@ -409,7 +452,7 @@ EOF;
// check/fix perl version on mod_security util files
$perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl");
foreach ($perl_files as $perl_file){
- $file_path=rules_directory."/util/";
+ $file_path=RULES_DIRECTORY."/util/";
if (file_exists($file_path.$perl_file)){
$script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file));
file_put_contents($file_path.$perl_file,$script,LOCK_EX);
@@ -426,12 +469,9 @@ EOF;
}
}
- //mod_security settings
- if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){
- $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
- if ($mods_settings!="")
- $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\"";
- }
+
+ if ($mods_settings!="")
+ $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\"";
//fix http-guardian.pl block bins
//$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib;
@@ -628,19 +668,20 @@ EOF;
$mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom'];
// Process and include rules
- if(is_dir(rules_directory)) {
+ if(is_dir(RULES_DIRECTORY)) {
$mod_security_rules = "";
- $files = return_dir_as_array(rules_directory);
+ $files = return_dir_as_array(RULES_DIRECTORY);
foreach($files as $file) {
- if(file_exists(rules_directory . "/" . $file)) {
+ if(file_exists(RULES_DIRECTORY . "/" . $file)) {
// XXX: TODO integrate snorts rule on / off thingie
- $file_txt = file_get_contents(rules_directory . "/" . $file);
+ $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file);
$mod_security_rules .= $file_txt . "\n";
}
}
}
#include file templates
+ include ("/usr/local/pkg/apache_mod_security.template");
include ("/usr/local/pkg/apache.template");
file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX);
diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template
index e5a2c864..f6ad6e3e 100644
--- a/config/apache_mod_security-dev/apache_mod_security.template
+++ b/config/apache_mod_security-dev/apache_mod_security.template
@@ -1,8 +1,8 @@
<?php
- // Mod_security enabled?
- if($modsec_settings['enablemodsecurity']) {
- $enable_mod_security = true;
- $mod_security = <<< EOF
+// Mod_security enabled?
+if($mods_settings['enablemodsecurity']=="on") {
+ $enable_mod_security = true;
+ $mod_security = <<< EOF
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
@@ -208,3 +208,5 @@ SecArgumentSeparator &
#
SecCookieFormat 0
+EOF;
+} \ No newline at end of file
diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml
index 92b41243..315d2de0 100644
--- a/config/apache_mod_security-dev/apache_mod_security_groups.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml
@@ -74,14 +74,20 @@
</tab>
</tabs>
<adddeleteeditpagefields>
+ <movable>on</movable>
<columnitem>
<fielddescr>Name</fielddescr>
<fieldname>name</fieldname>
</columnitem>
<columnitem>
+ <fielddescr>Logging</fielddescr>
+ <fieldname>secauditengine</fieldname>
+ </columnitem>
+ <columnitem>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
</columnitem>
+
</adddeleteeditpagefields>
<fields>
<field>
@@ -94,6 +100,7 @@
<description>Enter group name</description>
<type>input</type>
<size>25</size>
+ <required/>
</field>
<field>
<fielddescr>Description</fielddescr>
@@ -102,6 +109,7 @@
<type>input</type>
<size>45</size>
</field>
+
<field>
<fielddescr>Base Rules</fielddescr>
<fieldname>baserules</fieldname>
@@ -182,26 +190,50 @@
<option><name>log everything, including very detailed debugging information</name><value>9</value></option>
</options>
</field>
-
<field>
- <name>Custom options</name>
+ <name>mod_security crs 10 setup</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>mod_security crs 10 setup</fielddescr>
+ <fieldname>crs10</fieldname>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <rows>15</rows>
+ <cols>90</cols>
+ </field>
+ <field>
+ <name>Custom mod_security ErrorDocument</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Custom mod_security ErrorDocument</fielddescr>
<fieldname>errordocument</fieldname>
- <description></description>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <description>Custom mod_security ErrorDocument.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>10</rows>
- <cols>75</cols>
+ <cols>90</cols>
+ </field>
+ <field>
+ <name>Custom mod_security rules</name>
+ <type>listtopic</type>
</field>
<field>
<fielddescr>Custom mod_security rules</fielddescr>
<fieldname>modsecuritycustom</fieldname>
+ <dontdisplayname/>
+ <usecolspan2/>
<description>Paste any custom mod_security rules that you would like to use</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>10</rows>
- <cols>75</cols>
+ <cols>90</cols>
</field>
</fields>
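Review bot: Adding `<encoding>base64</encoding>` to the pre-existing `errordocument` and `modsecuritycustom` fields changes how stored values are interpreted; any value saved by an earlier version of this package is stored as plain text and will presumably be base64-decoded on the next page load, yielding garbage rather than the admin's text. Unless this -dev package has no saved configurations in the field, a one-off migration (re-encode plain values on resync) is needed. The `name` field gains `<required/>` but no character restriction, while the .inc in this commit uses it to build file names under RULES_DIRECTORY; a note on the field, such as `<description>Group name (letters, digits, underscore and dash only)</description>`, would at least document the constraint the backend should enforce.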
<custom_php_resync_config_command>
diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
index 54738d83..ab681c66 100644
--- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
@@ -82,6 +82,7 @@
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
</columnitem>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php
index da82baaa..77c14176 100644
--- a/config/apache_mod_security-dev/apache_view_logs.php
+++ b/config/apache_mod_security-dev/apache_view_logs.php
@@ -96,7 +96,7 @@ function showLog(content,url,logtype)
<?php
$tab_array = array();
$tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&amp;id=0");
- $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml");
+ $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml");
display_top_tabs($tab_array);
?>